Facebook patches security hole that allowed mass harvesting of phone numbers

Facebook prevents the abuse of phone number searching on its mobile site by imposing a search-rate limit

By Lucian Constantin, IDG News Service | Security

Security researchers confirmed that Facebook started limiting the number of searches that can be performed through its mobile website on Monday. However, they doubt that any limitation existed before that time, as suggested by the company's statement.

"Frankly, I don't think such a rate limit ever existed on the mobile version [of the website]," Suriya said Wednesday.

The researcher claims that his tests lasted eight days and included searching for sets of 10,000 phone numbers one after the other, using the same account and the same IP address, without getting blocked.

"My tests were blocked around 10 PM CST on Monday," Borland said Wednesday via email. "I built a check into the original script for logouts or irregular HTTP responses (403, 5xx, 3xx, etc.) for when something like this would happen. Facebook logs you out when your account gets banned, so it was easy to tell when the patch got rolled out."

"I most certainly believe it was fixed when the media frenzy happened," he said. "It was literally less than a day when the story broke out that a fix was pushed out."

Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, confirmed that earlier on Monday he was initially able to use Borland's script to perform over 5,000 search queries. However, when he tried again on Tuesday his Facebook account got locked down for 24 hours.

The search-rate limitation that Facebook implemented on Monday still allowed around 300 requests to be made from an account, Borland said.

This means that attacks were still possible, especially if run from multiple accounts, because of the method's high success rate. "I gathered an average of 40-60 numbers with one account during those 300 requests/account," the researcher said.

However, the limit appears to have been drastically lowered today. "As of 10 AM CST on Wednesday I could only do 10-30 requests before getting the 'badboy' account lockout," Borland said in a blog post.
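The control the article describes is a per-account cap on lookups followed by a temporary lockout. The following is an added illustration of that pattern, not Facebook's code and not Borland's script: a sliding-window limiter that refuses lookups once an account exceeds a threshold and locks the account out for a fixed period. The thresholds, window and lockout duration are assumptions chosen to mirror the figures quoted above (300 requests per account, later 10-30, and a 24-hour lockout).

```python
"""Per-account lookup rate limiter with temporary lockout (illustrative).

This is an added example modelling the kind of control described in the
article; it is not the real service's implementation.  Thresholds, window
length and lockout duration are assumed values passed in by the caller.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AccountState:
    # Timestamps (seconds) of the account's recent lookups, oldest first.
    recent: deque = field(default_factory=deque)
    # Time until which the account is locked out (0 = not locked).
    locked_until: float = 0.0


class LookupRateLimiter:
    def __init__(self, max_lookups: int, window_seconds: float, lockout_seconds: float):
        self.max_lookups = max_lookups      # lookups allowed per account per window
        self.window = window_seconds        # sliding window length
        self.lockout = lockout_seconds      # how long an account stays locked
        self._accounts: dict[str, AccountState] = {}

    def check(self, account_id: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason) for one lookup; records it if allowed."""
        st = self._accounts.setdefault(account_id, AccountState())
        if now < st.locked_until:
            return False, "locked"
        # Forget lookups that have aged out of the sliding window.
        while st.recent and now - st.recent[0] >= self.window:
            st.recent.popleft()
        if len(st.recent) >= self.max_lookups:
            # Threshold reached: lock the account and reset its history so the
            # count starts fresh when the lockout expires.
            st.locked_until = now + self.lockout
            st.recent.clear()
            return False, "lockout_triggered"
        st.recent.append(now)
        return True, "ok"


def simulate(limiter: LookupRateLimiter, account_id: str, attempts: int,
             interval: float = 1.0, start: float = 0.0) -> int:
    """Drive evenly spaced lookups from one account; return how many got through."""
    allowed = 0
    for i in range(attempts):
        ok, _ = limiter.check(account_id, start + i * interval)
        if ok:
            allowed += 1
    return allowed


if __name__ == "__main__":
    # Constructed scenario: a 300-per-day cap with a 24-hour lockout.
    limiter = LookupRateLimiter(max_lookups=300, window_seconds=86400, lockout_seconds=86400)
    print("lookups allowed out of 5000:", simulate(limiter, "account-a", 5000))
```

Because the limit is enforced per account, an enumeration run that spreads its lookups across many accounts is only slowed in proportion to the number of accounts it controls; that is the weakness the article points to with the "300 requests/account" figure, and why the threshold matters as much as the lockout itself.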

"Quite honestly, I'm still not sure why an account name or Facebook id needs to be attached to a phone lookup result," he said. "It should only give an option to send a friend request by that number if it existed, like you would with an email."

"I really wish it did not come to such a public disclosure but they [Facebook] really left me no choice," Suriya said, referring to the breakdown in communication between him and the Facebook Security team that eventually led to his public disclosure on Friday.
